如何通过gcloud cli args或环境变量将secretEnv指定为cloudbuild.yaml [英] How to specify secretEnv to cloudbuild.yaml via gcloud cli args or environment variables
问题描述
If I follow the cloud build document, I have to specify encrypted secret on cloudbuild.yaml.
secrets:
- kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
secretEnv:
MY_SECRET: <base64-encoded encrypted secret>
即使已加密,我也不会在代码中提交秘密值.请告诉我另一种方式.
Even if it is encrypted, I don't commit secret value at code. Please tell me another way.
例如通过gcloud的args构建提交命令或环境变量,...等
ex. via args from gcloud builds submit command or environment variables,...etc
推荐答案
您可以使用 Google秘密管理器代替.我们仍在更新文档,但是有一个示例如何将其与Cloud Build一起使用:
You can use Google Secret Manager instead. We're still updating the documentation, but there is an example of how you can use it with Cloud Build:
首先,创建一个秘密:
$ echo -n "my-secret-data" | gcloud beta secrets create "my-api-key" \
--replication-policy "automatic" \
--data-file -
授予Cloud Build Service帐户访问您的机密的权限:
Grant the Cloud Build Service Account permission to access your secret:
$ gcloud beta secrets add-iam-policy-binding "my-api-key" \
--member "serviceAccount:<project-number>@cloudbuild.gserviceaccount.com" \
--role "roles/secretmanager.secretAccessor"
然后在构建步骤中检索秘密:
Then retrieve the secret in your build steps:
steps:
- name: 'gcr.io/cloud-builders/gcloud@sha256:c1dfa4702cae9416b28c45c9dcb7d48102043578d80bfdca57488f6179c2211b'
entrypoint: 'bash'
args:
- '-c'
- |
gcloud beta secrets versions access --secret=my-api-key latest > /secrets/my-api-key
volumes:
- name: 'secrets'
path: '/secrets'
- name: 'my-step'
volumes:
- name: 'secrets'
path: '/secrets'
args: # ... /secrets/my-api-key contains the secret
这篇关于如何通过gcloud cli args或环境变量将secretEnv指定为cloudbuild.yaml的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!